http://www.palmbeachpost.com/business/content/business/epaper/2007/02/20/m1a_hack_0220.html

By Pat Beall
Palm Beach Post Staff Writer
February 20, 2007

A posse of 30 attorneys general, including Florida's, is looking into how hackers wormed their way into a customer database holding personal information on customers of Marshalls, TJ Maxx and HomeGoods.

The thieves didn't just make off with credit card information of patrons of the popular retailers, which are owned by a Massachusetts-based public company. The illicit bounty included personal checks, debit cards and possibly driver licenses.

That's just the kind of information used to steal someone's identity and rack up debts on the unsuspecting victim's bank and credit card accounts.

Already, fraudulent purchases in Florida have been linked to the hijacked data, according to the Massachusetts Bankers Association.

"We are looking into what has happened," confirmed Sandi Copes, press secretary for Florida Attorney General Bill McCollum. McCollum sits on the executive committee of the multistate probe, which is being led by the attorney general for Massachusetts.

"Essentially at this stage we are fact-finding," said Emily LaGrassa, communications director for Massachusetts Attorney General Martha Coakley. "How did the breach occur? Were there measures that could have been taken, or were there measures in place?"

At issue is personal information on shoppers stockpiled by The TJX Cos Inc., the corporate parent to TJ Maxx, Marshalls and a handful of other retail chains. Nineteen of its HomeGoods, TJ Maxx and Marshalls stores are in Palm Beach County and along the Treasure Coast.

The $16 billion company (NYSE: TJX, $28.47) announced in January it had unearthed evidence of hackers in December.

Although theft of personal information is not new, it rarely garners such close attention by the attorneys general. According to a report in The Wall Street Journal, the databases that were breached had 40 million names.
TJX has said the true numbers are much smaller but has not disclosed how many customers were affected.

"That is one of the things we are looking at," said LaGrassa, the spokeswoman for the Massachusetts attorney general.

TJX is a global retailer with operations in Britain, Canada, Puerto Rico and Ireland. Data in those countries also was compromised, according to the company.

Then there's "the sheer volume of information retained," said Paul Stephens, a policy analyst with the California-based Privacy Rights Clearinghouse, a nonprofit advocacy group. "That is one of the important issues here."

For instance, the Massachusetts Bankers Association has pointedly asked why the retailer was warehousing so much personal data on its customers. "It appears that they may have been capturing data that is unnecessary," said Daniel Forte, president of the group.

Copes, at McCollum's office, said the company is cooperating.

Even so, questions are popping up about why the company waited a month before alerting customers. When bandits lifted information on 19,000 AT&T Inc. customers last summer, company notifications went out within 48 hours.

The TJX discovery came at the height of the holiday retail buying season, yet its announcement wasn't made for several weeks. The company says it was bowing to the wishes of law enforcement authorities who wanted to keep hackers in the dark. Critics have asked whether the company was trying to protect seasonal sales.

The largest confirmed wholesale data theft involved 163,000 customers. That was the result of a breach of data compiled by ChoicePoint Inc. Fallout from that case was a public relations catastrophe for the company, which also saw its stock price dip.

ChoicePoint (NYSE: CPS, $39.04) did what it could to stem criticism. For example, it offered to pay for one full year of credit monitoring for all 163,000 consumers whose personal information was sold.

TJX has not offered to track customers' credit reports.
Stephens said the incident raises a more fundamental question: "Why did they need to retain that sort of information and then leave it in a place that was networked and could be accessed?"